DATA PROTECTION LAW AT THE DUBAI INTERNATIONAL FINANCIAL CENTRE AND THE GENERAL DATA PROTECTION REGULATION IN THE EU (GDPR): A COMPARATIVE APPROACH
This article compares the DIFC DP Law to the European GDPR. It aims to discuss the material differences between the two data protection laws and, in turn, to elucidate the strengths and drawbacks of the DIFC DP Law.
The United Arab Emirates (UAE) has in recent years become a prominent business hub, attracting the commercial sector through its various economic zones known as free zones. Each free zone in the UAE has its own applicable rules and regulations; the Dubai International Financial Centre (DIFC) is one such free zone and follows an English common law framework. In July 2020, the DIFC enacted a new data protection law, the Data Protection Law No. 5 of 2020 (the “DIFC DP Law”), repealing the previous DIFC Data Protection Law No. 1 of 2007.
The DIFC DP Law is widely considered a progressive and welcome development in the Middle East, as it incorporates elements from best practices such as the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”). This article compares the DIFC DP Law to the European GDPR; it aims to discuss the material differences between the two data protection laws and, in turn, to elucidate the strengths and drawbacks of the DIFC DP Law. Although this article examines the differences between the two data protection laws, the discussion is non-exhaustive.
DEFINITIONS AND BACKGROUND
The enactment of well-drafted data protection laws and regulations is an important step in the development of the rights and freedoms of individuals who provide data to companies and make use of services that process such data. Put simply, data protection laws place obligations on “Controllers” and “Processors” to safeguard the rights of, and the information provided by, “Data Subjects”. The following definitions are those of the DIFC DP Law, found in Schedule 1 (3); they remain similar to the definitions incorporated in the GDPR.
1. Controller – any person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.
2. Processor – any person who Processes Personal Data on behalf of a Controller.
3. Data Subject – the identified or Identifiable Natural Person to whom Personal Data relates.
4. Processing – any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage and archiving, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, transfer or otherwise making available, alignment or combination, restricting (meaning the marking of stored Personal Data with the aim of limiting Processing of it in the future), erasure or destruction.
LAWFULNESS OF PROCESSING
To begin with, both laws set out legal grounds for processing that apply to controllers and processors; personal data may not be processed unless the activity falls within one of these grounds. The grounds for processing are similar under the DIFC DP Law and the GDPR. Under the DIFC DP Law they are found in Article 10 and include the following:
1. Consent – where the data subject has given consent.
2. Contract – where the processing of data is necessary to perform the contract to which a data subject is a party.
3. Compliance with the Law – where the controller must process the data out of legal obligation.
4. Protection of Interest – where processing is necessary to protect the vital interests of the data subject.
5. Performance of a task – where it is necessary to process data for a company to be able to perform a task in public interest or to carry out its official functions.
6. Legitimate Interests – where the processing is necessary for legitimate interests, such as carrying out administrative work.
The lawfulness of processing largely remains the same under the GDPR and the DIFC DP Law. The DIFC DP Law, however, adds provisions and takes a more demanding stance on consent under Article 12 (6) and (7). Under the DIFC DP Law, obtaining a data subject’s informed consent once is not sufficient; consent must be ongoing and continuous.
When it comes to obtaining consent from data subjects, the two laws agree that consent is of prime importance and must be given freely by a clear affirmative act. Article 12 (7) of the DIFC DP Law additionally requires controllers to seek re-affirmation of consent where the processing is ongoing and amounts to more than a “single discrete incident”. In that case the data subject must be contacted without undue delay and asked to re-affirm consent. The same applies where the data subject would no longer reasonably expect the processing to be continuing.
A simple test of whether a controller is in breach of the GDPR or the DIFC DP Law is as follows:
You visit an e-commerce website that asks for personal information such as your name, address and bank account details. Before you can proceed to shop or pay, the website presents a pop-up containing two boxes that are ticked by default; you must untick the boxes yourself if you do not consent to your data being processed and used for profiling. If you inadvertently click “OK” or “accept” without unticking the boxes, the controller is in breach: you have not given your consent voluntarily, because it was assumed by default. Data subjects using websites should always pay attention to the way in which their consent is obtained.
Controllers that use WhatsApp may unknowingly be in breach of data protection laws. As data subjects, on downloading WhatsApp and creating an account, we are presented with a set of data processing terms and conditions; WhatsApp then requests our consent, and we click “accept”. Data subjects rarely consider what happens when companies, which are themselves controllers, use WhatsApp as a medium to connect with clients or colleagues and share personal and confidential data. Merely relying on the consent given to WhatsApp is not sufficient: controllers must either ask the client to read WhatsApp’s terms and conditions or obtain the client’s explicit and unequivocal consent.
WhatsApp’s website includes the following statement about information provided by third parties:
“Information Others Provide About You. We receive information about you from other users… We require each of these users to have lawful rights to collect, use, and share your information before providing any information to us.”
As such, it is the duty of the controller to inform the data subject and obtain their consent. Law-abiding controllers will usually inform the client at the outset that WhatsApp will be used as a medium of communication and obtain the client’s consent before any communication or data sharing takes place.
An important element of the DIFC DP Law is the re-affirmation of consent. Where a data subject is no longer a client, and would therefore no longer reasonably expect their data to be processed, the controller must inform the data subject of the processing and request their consent again.
APPOINTMENT OF DATA PROTECTION OFFICER (DPO)
The DIFC DP Law and the GDPR both provide for the appointment of Data Protection Officers (DPOs), who are tasked with ensuring that controllers and processors comply with the data protection laws. The circumstances in which controllers must appoint a DPO are largely the same under both laws. Under Article 16 of the DIFC DP Law, a controller must appoint a DPO where it carries out High Risk Processing Activities. Under Schedule 1 (3) of the DIFC DP Law, these include the processing of large amounts of personal data, including sensitive data, at high risk to the data subject, as well as systematic processing involving an extensive evaluation of data, including profiling. Under the GDPR, the appointment of a DPO is required for all controllers or processors carrying out large-scale, systematic monitoring of individuals, or processing sensitive data or data relating to criminal convictions and offences on a large scale. The two provisions are similar; however, the DIFC DP Law also requires a DPO where the processing involves the adoption of new or different technologies that increase the risk to the safety of personal data, as this too is considered a High Risk Processing Activity.
Another important provision of the DIFC DP Law is Article 16(4), which states that controllers who do not carry out High Risk Processing Activities, and so are not required to appoint a DPO, must still designate an individual to oversee compliance with the law and be readily available to report to the Commissioner. This goes beyond the GDPR: it ensures that a designated individual is in place at all times, even where the controller is not carrying out High Risk Processing Activities. The designated individual not only oversees the controller’s compliance but may also be required to report to the Commissioner. The provision is welcome and innovative, as it prioritizes the safety of personal data regardless of its quantity and sensitivity and adds a further protective barrier against breaches.
DATA PROTECTION IMPACT ASSESSMENT
Data Protection Impact Assessments (DPIAs) are an integral part of data protection: they assess the impact of the processing of personal data and the risks to data subjects. Article 35 (3) of the GDPR expressly sets out the circumstances in which a DPIA is required. By contrast, Article 20 of the DIFC DP Law refers to the undertaking of a DPIA (where the controller carries out High Risk Processing Activities) but sets out no express conditions under which the obligation arises. Going further, Article 35 (4) of the GDPR states that the supervisory authority shall create a publicly accessible list of processing activities that require a DPIA. This can be contrasted with Article 20 (4) of the DIFC DP Law, which states that “the Commissioner may at his discretion publish a non-exhaustive list of types or categories of Processing operations that are considered to be High Risk Processing Activities”. Publishing such a list is therefore not an obligation on the Commissioner. Removing the element of discretion from the clause would make it an obligation, giving controllers and processors more clarity and increasing the likelihood that they carry out the necessary DPIA in accordance with the law, resulting in more secure data protection for data subjects.
Although the DIFC DP Law does not incorporate an express requirement for a DPIA, it contains a pertinent supplementary provision not found in the GDPR. Article 19 of the DIFC DP Law states that where a controller is obliged to appoint a DPO, the DPO shall carry out an assessment of the controller’s processing activities once a year, known as the “Annual Assessment”. The annual assessment is then submitted to the Commissioner for review.
DATA SUBJECTS RIGHTS – RIGHT NOT TO BE DISCRIMINATED AGAINST
Both the DIFC DP Law and the GDPR contain comprehensive articles ensuring the rights and freedoms of data subjects. Both laws prohibit discrimination on the basis of protected characteristics of data subjects such as race, gender and disability, and both grant data subjects rights over their data, such as the right to withdraw consent and the rights of access, rectification and erasure of personal data.
The DIFC DP Law enhances data subjects’ rights further with a provision prohibiting controllers from discriminating against data subjects who exercise their rights under the law. Article 39 of the DIFC DP Law reads as follows:
1. A Controller may not discriminate against a Data Subject who exercises any rights under this Part 6, including by:
(a) denying any goods or services to the Data Subject;
(b) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
(c) providing a less favorable level or quality of goods or services to the Data Subject; or
(d) suggesting that the Data Subject will receive a less favorable price or rate for goods or services or a less favorable level or quality of goods or services.
Where a data subject refuses to have their data processed, a controller in the DIFC cannot deny them its services solely on the basis of this decision, as this would be discriminatory. This provision goes further than the GDPR and follows the California Consumer Privacy Act (CCPA); by blending provisions from both the CCPA and the GDPR, the DIFC DP Law creates a more secure form of protection.
NOTIFICATION OF PERSONAL DATA BREACHES
The DIFC DP Law takes a different approach to the notification of personal data breaches from the GDPR and the CCPA. Article 41 of the DIFC DP Law states: “if there is a Personal Data Breach that compromises a Data Subject’s confidentiality, security or privacy, the Controller involved shall, as soon as practicable in the circumstances, notify the Personal Data Breach to the Commissioner.”
This provision raises two important issues. First, the personal data breach must be one that compromises a data subject’s confidentiality, security or privacy; the Commissioner therefore need only be notified of a breach that compromises the security of data subjects. Second, the notification must be made “as soon as practicable in the circumstances”, which leaves room for ambiguity and gives the controller no strict timeframe within which to alert the Commissioner of the breach.
This wording is not found in the GDPR or the CCPA, which state that a breach should be communicated to the supervisory authority. For instance, Article 33 (1) of the GDPR states that “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”.
That provision conveys the urgency and importance of reporting a data breach to the relevant authority and adds a timeframe.
FINES AND PENALTIES
Schedule 2 of the DIFC DP Law contains a list of fines and penalties applicable to data controllers and processors, ranging from USD 10,000 to a maximum of USD 100,000. This differs from the approach of the GDPR, which groups fines into two categories: less severe infringements and more serious infringements. Under Articles 82 and 83 of the GDPR, less severe infringements can result in a fine of up to EUR 10,000,000, whereas more serious infringements can lead to fines of up to EUR 20,000,000. The difference in figures is significant, as it conveys the importance of data subjects and their rights and freedoms; the ramifications of a breach have a great impact on the caution controllers exercise in processing personal data. Although the DIFC DP Law leads the region with its data protection provisions, the amounts payable in fines are expected to become more stringent over the years.
THE DIFC DP LAW AS IT STANDS
The DIFC DP Law is an important development in data protection law, particularly for the Middle East; the inspiration it draws from the CCPA and the GDPR in some respects renders it more progressive than its counterpart. The added anti-discrimination provision, the annual assessments and the requirement to designate an individual where a DPO need not be appointed all contribute to its modernity and demonstrate its commitment to the rights and liberties of data subjects.
We consider the impact of the DIFC Data Protection Law to be generational for the Middle East region. The region is investing massively in technology, reg-tech and artificial intelligence, so such regulation is paramount to the success of the regulatory landscape and of data security overall. Following the example of its predecessor, the GDPR, the DIFC Data Protection Law has laid the ground for new enactments. Recently, the Kingdom of Saudi Arabia has issued data protection legislation, a topic we would be happy to discuss on another occasion.